Penetration Testing for Professional Services Company
FRSecure provided penetration testing services for a professional services firm’s accounting software. They did both manual and automated testing. The team then delivered the test results through a report.
I’m the director of information systems and part of the executive team at FAC Services. We’re a shared services organization providing professional services that are mainly financial in nature to three clients operating in the architecture, engineering, and construction industries. Our company has a team of 60 people, who are mainly accountants, law people, and software developers. A fair amount of our tools are built in-house for ERP, labor management, and client building.
We had in-house software providing project accounting features as part of our services. It had a fairly wide scope and stored financial and sensitive data. When we pushed the software into production, we hired FRSecure to do penetration testing.
One of FRSecure’s testers did manual and automated testing on the security of our software. They then created a report on any vulnerabilities they found. It was purely a consulting-style service; they didn’t purchase any software or hardware. The service was done completely off-site.
What is the team composition?
I worked with one person in sales at the onset of our engagement. Then, an account manager took care of the scope of work and proposal. The rest of the project was done directly with FRSecure’s tester. A project manager was also involved in the effort.
How did you come to work with FRSecure?
The engagement started with a cold call. Our company liked to work with different testers to see different points of view. On top of that, I was also a part of the American Council of Engineering Companies. People in that organization had good things to say about FRSecure. As a result, we hired them.
The quality of FRSecure’s penetration testing report was much higher than we were used to; it was remarkably helpful. The debrief from the penetration tester was accurate. Usually, such reports either had too much jargon that I would have a hard time reading or were too long and had too much to look into — by contrast, FRSecure made sure that I understood every aspect of the report as an engineering manager. Moreover, the report included steps for my technical team to reproduce the findings. In other words, their deliverable was truly actionable and useful to my team.
How did FRSecure perform from a project management standpoint?
FRSecure finished the project 100% per the targeted deadline and within our budget. In terms of tools, they shared documents with us via SharePoint. Everything was simple because there were only 2–3 people involved. There was no need for any milestone-based report. All of our communication was done via Zoom.
What did you find most impressive about them?
The FRSecure team was truly cost-effective. A lot of opportunistic vendors existed in this field, but I found them to be reasonable. They were forthright, and their commercial practices were refreshing in that they were upfront and clear. We didn’t feel that money was wasted on things other than penetration testing.
Are there any areas they could improve?
No, there weren’t any. They were an ideal vendor, and I’d highly recommend them.
Do you have any advice for potential customers?
Take the time to present the software to FRSecure, and meet the penetration tester. Provide use cases for the tester. For example, I provided a matrix of different users with different permissions. This allowed the tester to focus on areas where we could escalate privileges to make the software more productive and enjoyable.